Cyber Canon Book Review: Unsecurity

Posted: October 21, 2020

Book written by Evan Francen

Book review by Ron Woerner


Bottom Line:

Information security is a game and we’re losing. In Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?, author Evan Francen explores the many problems with the information security industry and provides his ideas and solutions.

Francen’s Unsecurity is a good wake-up call for those in information security and a good primer for those just getting started. It deserves to be in the Cybersecurity Canon; however, there’s not enough that is new or different to elevate it as a Hall of Fame Candidate.

“Information is a game and we’re losing.” Unsecurity is author Evan Francen’s wake-up call to the security industry that we have many challenges and it’s up to security professionals to solve these problems. On the surface this book may seem like a rant, but it’s really a book of hope, ideas and solutions to solve these problems. Evan, an optimist who cares for people, shares his 25+ years of IT and security experience to help those caught up in the day-to-day security battles facing most professionals. It’s a good reminder for those who have been in the game for a while, and it gives those who are new to it ideas on its rules and how to play to win. Francen’s Unsecurity is a good book of timely reminders of our common challenges and ways to solve them using people, process and technology. There’s not enough that is new or different to elevate it as a Canon Hall of Fame Candidate. However, it deserves to be in the Cybersecurity Canon given its timelessness, content and readability.

On the surface, Unsecurity appears to focus solely on the problems facing security professionals of all levels. Each of the ten high-level problem categories/chapters is experienced by security professionals worldwide. Many of us feel the same pain in each of these areas and are looking for answers.

  1. We’re Not Speaking the Same Language
  2. Bad Foundations
  3. Lipstick on a Pig
  4. Pipe Dreams
  5. The Blame Game
  6. The Herd Mentality
  7. Because I Said So
  8. Empty Promises
  9. The Money Grab
  10. Too Many Few Experts

Francen’s Unsecurity is a book about ways to overcome these deficiencies, with each chapter separated into 2 to 5 problem statements with corresponding solutions. Francen uses the problems to catch the reader’s attention and hopefully change their mindset to one of problem-solving rather than complaining. The solutions come from a variety of resources that can apply to any size or type of security program. While they’re generally high-level, they give the reader good ideas on how to address the problems and where to go for more information.

Unsecurity is not a book that has to be read in one sitting or from cover to cover. It’s a good reference for when you encounter a problem, wherever you may work and whatever level you may be. You should keep the Table of Contents handy to look up ways a fellow security professional has classified the problem along with his ideas for solutions. For example, a security vendor is pestering you to look at his/her product. Your organization may even have money to spend on a solution in the vendor’s area. That doesn’t mean you should. Chapter 9, The Money Grab, explains how to read through the snake oil and FUD (Fear, Uncertainty and Doubt) often pushed by salesmen. It comes down to doing your homework, seeing through FUD, and buying only what you need to avoid shelfware. There are many other ideas like this one to help you through your day as a cybersecurity professional.

Unsecurity is easy to read and written for anyone, no matter your security experience. The solutions can work for anyone, whatever your workplace, experience level, or job function. The problem statements provide a common reference point that resonates with any reader. The solutions are nontechnical and explain simple ways to overcome the problems. Some may wish Francen would go deeper with the solutions and that there were more details regarding technologies or specific procedures. He stays high-level to maintain a simple and functional approach that appeals to any industry.

Unsecurity is Evan Francen’s call to change a broken industry. He wrote it to share his vast experiences and to help others. While there’s nothing really revolutionary in this book, it provides timeless wisdom and the feeling that we’re all in this game/battle together. Unsecurity shows that solutions to security’s most ubiquitous problems are often right in front of us. We just need to identify them and collectively work to implement the solutions. This is a good book for both experienced and new security professionals and is worthy of being in the Cybersecurity Canon.